Privacy Policy
General Information
Protecting your personal data is important to us. Personal data is processed in accordance with applicable Swiss data protection law (revDSG) and, where applicable, the GDPR.
This Privacy Policy explains how Earlybyte GmbH collects, processes, stores, and protects personal data when you use the Earlybyte Navbar website and the Carrd Navbar Builder application.
Responsible Entity
Earlybyte GmbH
Tössuferweg 25
8406 Winterthur
Switzerland
info@earlybyte.ch
This website and the Carrd Navbar Builder are operated by Earlybyte GmbH.
Data We Collect
Depending on how you use the website and application, we may collect and process the following information.
Account Information
- Name or display name
- Email address
- Supabase user ID
- Linked authentication provider information
Authentication & Session Data
- Session identifiers
- Login timestamps
- Session expiry timestamps
- Security-related authentication information
Navbar Builder Data
- Saved navbar configurations
- Navigation labels
- Links, dropdown structures, and URLs
- Styling, layout, color, and font settings
- Preview-related configuration data
Exported navbar snippets are standalone code snippets copied by the user. Once exported and added to third-party platforms such as Carrd, Earlybyte GmbH no longer controls how that code is hosted or used.
Billing & Purchase Information
- Stripe customer ID
- Subscription information
- Purchase status
- Plan and entitlement information
- Billing status and timestamps
Payment card information is processed directly by Stripe and is not stored on our servers.
Technical & Usage Data
- IP address
- Browser and device information
- Operating system
- Referrer URLs
- Usage and interaction data
- Analytics information
Purpose of Data Processing
We process personal data for the following purposes:
- Providing and operating the Carrd Navbar Builder
- User authentication and account management
- Saving and managing navbar configurations
- Processing subscriptions and one-time purchases
- Managing user entitlements and access rights
- Improving functionality and usability
- Ensuring platform security and preventing abuse
- Responding to support requests and communication
- Analysing website and application usage
Legal Basis for Processing
Where Swiss data protection law applies, we process personal data only where permitted by applicable law. Where the GDPR applies, the legal basis depends on the purpose of processing:
- Contract performance: providing the Carrd Navbar Builder, user accounts, saved navbars, generated-code access, subscriptions, one-time purchases, and support.
- Legal obligation: accounting, tax, VAT, bookkeeping, compliance, and legally required retention.
- Legitimate interest: platform security, fraud prevention, abuse prevention, service improvement, technical operations, and necessary business administration.
- Consent: analytics, marketing communication, and optional cookies or tracking technologies where consent is required.
Authentication & User Accounts
Authentication is handled through Supabase Auth. Supported authentication methods may include:
- Google OAuth
- Microsoft OAuth
- Email/password authentication
- Email confirmation and password reset flows
Supabase access tokens are validated server-side and are not permanently stored in the application database. After successful validation, the application creates an internal session using a secure session cookie.
We may send service-related emails such as account confirmations, password resets, billing notifications, authentication-related communication, or support messages.
Cookies & Sessions
The application uses cookies required for authentication and session management.
Session Cookie
The Carrd Navbar Builder uses a session cookie named:
carrd_navbar_builder_session
This cookie:
- stores an opaque session token
- does not contain Supabase access tokens
- is used for authentication and security purposes
- expires automatically after a defined period
Cookies may also be used for analytics and functionality purposes.
Where analytics or optional cookies are used, they are only used where permitted by applicable law and, where required, after consent. Users can manage or withdraw cookie and analytics consent through the consent controls provided on the website, if available, and may also block or delete cookies through their browser settings. Please note that disabling required cookies may affect application functionality.
Google Analytics
This website may use Google Analytics to better understand how visitors use the website and application.
Google Analytics may collect information such as:
- visited pages
- session duration
- browser information
- approximate geographic region
- device information
Google Analytics may use cookies and similar technologies.
Data processed by Google may be transferred to servers outside Switzerland or the European Union.
If Google Analytics is active, users can opt out or manage analytics consent through the website's consent controls, where available. Users may also use browser settings, privacy extensions, or Google's available opt-out tools to limit analytics tracking.
Additional information can be found in Google's Privacy Policy.
Google Fonts
The website and legal embeds may load the Manrope font from Google Fonts. When Google Fonts are loaded from Google's servers, technical information such as the user's IP address, browser information, and requested font files may be transmitted to Google.
Payments & Billing
Payments, subscriptions, checkout, and billing functionality are handled through Stripe.
Stripe may process:
- payment information
- billing addresses
- transaction information
- subscription status
- customer identifiers
We only store billing-related information necessary to manage purchases and subscriptions.
Payment card details are processed directly by Stripe and are never stored on our servers.
More information:
Third-Party Services
We use third-party services to operate the website and application infrastructure.
Supabase
Used for:
- authentication
- account management
- OAuth login flows
Stripe
Used for:
- subscriptions
- one-time purchases
- billing management
- payment processing
Mailjet
Used for:
- transactional emails
- authentication-related emails
- password reset emails
- account confirmation emails
- service communication
Google Analytics
Used for:
- website and usage analytics
Carrd
Used for:
- public website hosting
- website page delivery
- embedded legal page presentation
Google Fonts
Used for:
- loading and displaying website fonts
Hetzner
Used for:
- hosting, application infrastructure, and server operations
Infomaniak
Used for:
- DNS infrastructure and related services
These providers may process data outside Switzerland or the European Union in accordance with their own privacy policies and applicable safeguards.
Data Retention
We retain personal data only for as long as necessary to provide services, fullfil contractual obligations, comply with legal requirements, or maintain legitimate business interests.
- Active account and navbar data is retained while the account exists.
- Session data expires automatically after a defined period.
- Billing and entitlement information may be retained for accounting, fraud prevention, and legal obligations.
- Deleted accounts may result in the removal of associated navbar data and local application records.
Account Deletion
Users can request or initiate account deletion.
Deleting an account may remove:
- saved navbar configurations
- local application user records
- active sessions
- entitlement records
- local subscription records
Some billing or legal records may need to be retained where required by applicable law.
Security Measures
We implement appropriate technical and organisational measures to protect personal data.
These measures include:
- hashed session token storage
- server-side token validation
- restricted access controls
- encrypted connections (HTTPS)
- security-focused session management
While we strive to protect all data, no internet-based service can guarantee absolute security.
International Data Transfers
Some third-party providers used by the application may process or store data outside Switzerland or the European Union.
Where applicable, appropriate safeguards are used to ensure adequate protection of personal data.
Your Rights
Depending on applicable law, you may have the right to:
- request access to your personal data
- request correction of inaccurate data
- request deletion of personal data
- object to certain processing activities
- withdraw consent where processing is based on consent
- request restriction of processing, where the GDPR applies
- request data portability, where the GDPR applies
Requests can be submitted to:
info@earlybyte.ch
You may also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC). If the GDPR applies to the processing of your personal data, you may also have the right to lodge a complaint with a competent supervisory authority in the EU or EEA.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in legal requirements, services, or technical implementation.
The latest version published on this website is always applicable.
Contact
If you have questions regarding this Privacy Policy or the processing of personal data, please contact:
Earlybyte GmbH
info@earlybyte.ch
